docker-compose/docker-compose.yml

# To note, if I am using an env_file to /srv/docker/config/secrets/*,
# then I have taken the ENV variable with a password for that container and
# put it into a separate file (1 place for common pwds like for ldap, but also so this file can be shared safely)
services:
  traefik:
    container_name: traefik
    image: traefik:latest
    restart: always
    network_mode: host
    command:
#      - "--log.level=DEBUG"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file=true"
      - "--providers.file.directory=/configuration/"
      - "--providers.file.watch=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.secureweb.address=:443"
      - "--accessLog"
      - "--accessLog.filePath=/var/log/access.log"
      - "--accesslog.fields.names.StartUTC=drop"
      - "--accesslog.filters.statuscodes=400-599"
      - "--accesslog.filters.minduration=50ms"
      # cert resolver (PROD)
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=postmaster@depaoli.id.au"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.ddp.net`)"
      - "traefik.http.routers.dashboard.entrypoints=web"
      # too many other ports (80, 443) so we have to be explicit & with network_mode: host traefik routes to localhost:8080
      - "traefik.http.services.dashboard.loadbalancer.server.port=8080"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "last.commit.url=https://api.github.com/repos/traefik/traefik/commits"
    depends_on:
      - adguard
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /srv/docker/container/traefik/:/configuration
      - /srv/docker/container/traefik/var/log/:/var/log/
      - /srv/docker/container/letsencrypt/etc:/letsencrypt
      - /etc/localtime:/etc/localtime:ro

  sonarr:
    container_name: sonarr
    image: linuxserver/sonarr:latest
    restart: always
    environment:
      - TZ=Australia/Melbourne
      - PUID=500
      - PGID=500
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.sonarr.rule=Host(`son.depaoli.id.au`)"
      - "traefik.http.routers.sonarr.tls=true"
      - "traefik.http.routers.sonarr.entrypoints=secureweb"
      - "traefik.http.routers.sonarr.tls.certresolver=myresolver"
      - "last.commit.url=https://api.github.com/repos/linuxserver/docker-sonarr/commits"
    depends_on:
      - adguard
    volumes:
      - /srv/docker/container/sonarr/config:/config
      - /export/docker/storage/downloads:/downloads
      - /export/docker/storage/series:/tv
      - /etc/localtime:/etc/localtime:ro

  radarr:
    container_name: radarr
    image: linuxserver/radarr:latest
    restart: always
    environment:
      - TZ=Australia/Melbourne
      - PUID=500
      - PGID=500
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.radarr.rule=Host(`rad.depaoli.id.au`)"
      - "traefik.http.routers.radarr.tls=true"
      - "traefik.http.routers.radarr.entrypoints=secureweb"
      - "traefik.http.routers.radarr.tls.certresolver=myresolver"
      - "last.commit.url=https://api.github.com/repos/linuxserver/docker-radarr/commits"
    depends_on:
      - adguard
    volumes:
      - /srv/docker/container/radarr/config:/config
      - /export/docker/storage/downloads:/downloads
      - /export/docker/storage/movies:/movies
      - /etc/localtime:/etc/localtime:ro

  readarr:
    container_name: readarr
    image: linuxserver/readarr:nightly
    restart: always
    environment:
      - TZ=Australia/Melbourne
      - PUID=500
      - PGID=500
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.readarr.rule=Host(`readarr.ddp.net`)"
      - "traefik.http.routers.readarr.entrypoints=web"
      - "last.commit.url=https://api.github.com/repos/Readarr/Readarr/commits"
    depends_on:
      - adguard
    volumes:
      - /srv/docker/container/readarr/config:/config
      - /export/docker/storage/downloads:/downloads
      - /export/docker/storage/books:/books
      - /etc/localtime:/etc/localtime:ro

  calibre:
    container_name: calibre
    image: linuxserver/calibre:latest
    restart: always
    environment:
      - TZ=Australia/Melbourne
      - PUID=500
      - PGID=500
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.calibre.service=calibre"
      - "traefik.http.routers.calibre.rule=Host(`calibre.ddp.net`)"
      - "traefik.http.services.calibre.loadbalancer.server.port=8080"
      - "traefik.http.routers.calibre.entrypoints=web"
      - "traefik.http.routers.calibreweb.service=calibreweb"
      - "traefik.http.routers.calibreweb.rule=Host(`calibreweb.ddp.net`)"
      - "traefik.http.services.calibreweb.loadbalancer.server.port=8081"
      - "traefik.http.routers.calibreweb.entrypoints=web"
      - "last.commit.url=https://api.github.com/repos/linuxserver/docker-calibre/commits"
    depends_on:
      - adguard
    volumes:
      - /srv/docker/container/calibre/config:/config
      - /etc/localtime:/etc/localtime:ro

  # this is running network_mode: host to be on 192.168.0/24 subnet, so that
  # direct play on tv works (from memory)
  emby:
    container_name: emby
#    image:  emby/embyserver:latest
    image: emby/embyserver:4.9.0.45
    restart: always
    network_mode: host
    environment:
      - UID=500
      - GID=500
      # 44 is for /dev/dri/card driver support / 110 for AMD transcoding
      - GIDLIST=44,110
      - TZ=Australia/Melbourne
    volumes:
      - /srv/docker/container/emby/config:/config
      - /srv/docker/container/emby/transcode:/transcode
      - /export/docker/storage:/data
      - /export/myth/tv:/myth-recordings
      - /etc/localtime:/etc/localtime:ro
    devices:
      - /dev/dri:/dev/dri
    depends_on:
      - adguard
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.emby.rule=Host(`emby.depaoli.id.au`)"
      # to note with network_mode: host, this works via localhost --> traefik routes this to http://localhost:8096"
      - "traefik.http.services.emby.loadbalancer.server.port=8096"
      - "traefik.http.routers.emby.tls=true"
      - "traefik.http.routers.emby.entrypoints=secureweb"
      - "traefik.http.routers.emby.tls.certresolver=myresolver"
      - "last.commit.url=https://api.github.com/repos/MediaBrowser/Emby.Releases/commits"

  # fail2ban might need a better whitelist? (I had internal docker ips in my quick fudge as well?)
  mail:
    image: docker.io/mailserver/docker-mailserver:15.0.2
    hostname: depaoli.id.au
    domainname: depaoli.id.au
    container_name: mail
    restart: always
    ports:
      - "0.0.0.0:25:25"
      - "0.0.0.0:465:465"
      - "0.0.0.0:587:587"
      - "0.0.0.0:993:993"
    labels:
      # somehow watchtower keeps restarting mail even without an update AND the mailserver emails me with updates anyway
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.mail.rule=Host(`rspamd.ddp.net`)"
      - "traefik.http.services.mail.loadbalancer.server.port=11334"
      - "traefik.http.routers.mail.entrypoints=web"
      - "last.commit.url=https://api.github.com/repos/docker-mailserver/docker-mailserver/commits"
    depends_on:
      - adguard
      - openldap
    volumes:
      - /srv/docker/container/mail/data:/var/mail
      - /srv/docker/container/mail/state:/var/mail-state
      - /srv/docker/container/mail/log:/var/log/mail
      - /srv/docker/container/mail/config/:/tmp/docker-mailserver/
      - /etc/localtime:/etc/localtime:ro
      # used (via .../mail/config/user-patches.sh) to insert a cron job running from .../mara-bin, and writing to .../monitoring-results)
      - /srv/docker/container/mail/mara-bin:/root/bin
      - /srv/docker/container/mail/monitoring-results:/monitoring-results
      # NOTE: depweb container gets traefik to manage depaoli.id.au cert (and store it into acme.json)
      - /srv/docker/container/letsencrypt/etc/acme.json:/etc/letsencrypt/acme.json:ro
    environment:
      - ENABLE_CLAMAV=1
      - ENABLE_FAIL2BAN=1
      - ENABLE_POSTGREY=0
      - ENABLE_UPDATE_CHECK=1
      - ENABLE_POP3=0
      # this allows users to manage their own sieves, not something we use at present
      - ENABLE_MANAGESIEVE=0
      # don't know if this can go to 1 or not, seems more for postscreen than rspamd, so not sure if it has always been off?
      - ENABLE_DNSBL=0
      # as per doco, enabling rspamd and disabling unneeded services (up to spamassassin)
      - ENABLE_RSPAMD=1
      - ENABLE_OPENDKIM=0
      - ENABLE_OPENDMARC=0
      - ENABLE_POLICYD_SPF=0
      - ENABLE_AMAVIS=0
      - ENABLE_SPAMASSASSIN=0
      - MOVE_SPAM_TO_JUNK=1
      # only greylist spammy emails
      - RSPAMD_GREYLISTING=1
      # if ppl move mail to junk -> inbox (spam) or reverse (ham), learn from it
      - RSPAMD_LEARN=1
      # some hostname heuristics for dodgy mailservers using wrong syntax - adds header only at the moment, test and drop when we trust
      - RSPAMD_HFILTER=1
      # spoof prot stops anyone sending with an email address that doesn't match what they connected with 
      - SPOOF_PROTECTION=1
      - ONE_DIR=1
      - DMS_DEBUG=0
      - LOG_LEVEL=warn
      - ACCOUNT_PROVISIONER=LDAP
      - LDAP_SERVER_HOST=ldap://openldap:1389 # using IP, as we changed over container names (openldap->openldapnew)
      - LDAP_SEARCH_BASE=dc=depaoli,dc=id,dc=au
      - LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au
      - LDAP_QUERY_FILTER_USER=(&(mail=%s)(mailEnabled=TRUE))
      - LDAP_QUERY_FILTER_GROUP=(&(mailGroupMember=%s)(mailEnabled=TRUE))
      - LDAP_QUERY_FILTER_ALIAS=(mailAlias=%s)
      - LDAP_QUERY_FILTER_DOMAIN=(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))
      - DOVECOT_PASS_FILTER=(&(objectClass=PostfixBookMailAccount)(uid=%n))
      - DOVECOT_USER_FILTER=(&(objectClass=PostfixBookMailAccount)(uid=%n))
      - ENABLE_SASLAUTHD=1
      - SASLAUTHD_MECHANISMS=ldap
      - SASLAUTHD_LDAP_SERVER=ldap://openldap:1389
      - SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=depaoli,dc=id,dc=au
      - SASLAUTHD_LDAP_SEARCH_BASE=ou=users,dc=depaoli,dc=id,dc=au
      - SASLAUTHD_LDAP_FILTER=(&(uid=%U)(objectClass=person))
      - POSTMASTER_ADDRESS=postmaster@depaoli.id.au
      - POSTFIX_MESSAGE_SIZE_LIMIT=100000000
      - SSL_TYPE=letsencrypt
    env_file:
      - /srv/docker/config/secrets/ldap-mail-common
    cap_add:
      - NET_ADMIN

  openldap:
    image: bitnami/openldap:latest
    user: "2000"
    container_name: openldap
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/bitnami/containers/commits?path=bitnami/openldap"
    environment:
      BITNAMI_DEBUG: "true"
      LDAP_ROOT: "dc=depaoli,dc=id,dc=au"
      LDAP_ADMIN_USERNAME: "admin"
      LDAP_SKIP_DEFAULT_TREE: "yes"
      LDAP_CUSTOM_SCHEMA_DIR: "/schemas"
      LDAP_CUSTOM_LDIF_DIR: "/ldifs"
      LDAP_LOGLEVEL: "256"
    env_file:
        - /srv/docker/config/secrets/ldap-mail-common
    tty: true
    stdin_open: true
    depends_on:
      - adguard
    volumes:
      - /srv/docker/container/ldap/:/bitnami/openldap/
      - /srv/docker/container/ldap/bootstrap-schema:/schemas
      - /srv/docker/container/ldap/bootstrap-ldifs:/ldifs
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "0.0.0.0:389:1389"

  # webmail
  webmail:
    image: roundcube/roundcubemail:latest
    container_name: webmail
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.webmail.rule=Host(`webmail.depaoli.id.au`)"
      - "traefik.http.routers.webmail.entrypoints=secureweb"
      - "traefik.http.routers.webmail.tls=true"
      - "traefik.http.routers.webmail.tls.certresolver=myresolver"
      - "last.commit.url=https://api.github.com/repos/roundcube/roundcubemail/commits"
    volumes:
      - /srv/docker/container/roundcubemail/www:/var/www/html
      - /srv/docker/container/roundcubemail/db/sqlite:/var/roundcube/db
      - /srv/docker/container/roundcubemail/tmp/roundcube-temp:/tmp/roundcube-temp
      - /srv/docker/container/roundcubemail/var/roundcube/config:/var/roundcube/config
      - /etc/localtime:/etc/localtime:ro
    depends_on:
      - adguard
      - mail
      - openldap
    environment:
      - ROUNDCUBEMAIL_DB_TYPE=sqlite
      - ROUNDCUBEMAIL_SKIN=elastic
      - ROUNDCUBEMAIL_DEFAULT_HOST=ssl://depaoli.id.au
      - ROUNDCUBEMAIL_DEFAULT_PORT=993
      - ROUNDCUBEMAIL_SMTP_SERVER=ssl://depaoli.id.au
      - ROUNDCUBEMAIL_SMTP_PORT=465

  portainer:
    container_name: portainer
    image: portainer/portainer-ce:latest
    restart: always
    depends_on:
      - adguard
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /srv/docker/container/portainer/data:/data
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.rule=Host(`portainer.ddp.net`)"
      # need to be explicit, as it also runs API ports, SSL ports, etc
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
      - "last.commit.url=https://api.github.com/repos/portainer/portainer/commits"

  # this is running network_mode: host so it is on the same subnet as the IoT
  # devices and can see/discover them
  hass:
    image: ghcr.io/home-assistant/home-assistant:latest
    container_name: hass
    privileged: true
    network_mode: host
    restart: always
    security_opt:
      - seccomp:unconfined
    depends_on:
      - adguard
      - openldap
    volumes:
      - /srv/docker/container/hass:/config
      # this line adds known hosts file to /root's .ssh so the 'command line authenticaion' works on login on every new container
      - /srv/docker/container/hass/ssh/known_hosts:/root/.ssh/known_hosts
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket
      - /etc/localtime:/etc/localtime:ro
      - /run/dbus:/run/dbus:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
      # to note traefik is used here, but handled via files due to use of "network_mode: host"
      - "traefik.enable=true"
      - "traefik.http.routers.hass.rule=Host(`hass.depaoli.id.au`)"
      # to note with network_mode: host, this works via localhost --> traefik routes this to http://localhost:8123"
      - "traefik.http.services.hass.loadbalancer.server.port=8123"
      - "traefik.http.routers.hass.tls=true"
      - "traefik.http.routers.hass.entrypoints=secureweb"
      - "traefik.http.routers.hass.tls.certresolver=myresolver"
      - "last.commit.url=https://api.github.com/repos/home-assistant/core/commits"

  # this runs in network_most host so that it can find the players automatically
  mass:
    image: ghcr.io/music-assistant/server:latest
    container_name: mass
    restart: always
    network_mode: host
    cap_add:
      - SYS_ADMIN
      - DAC_READ_SEARCH
    security_opt:
      - apparmor:unconfined
    depends_on:
      - adguard
      - emby
    volumes:
      - /srv/docker/container/mass/data:/data
      - /export/docker/storage/music:/music
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.mass.rule=Host(`hass.depaoli.id.au`) && PathPrefix(`/mass/`)"
      - "traefik.http.routers.mass.tls=true"
      - "traefik.http.routers.mass.entrypoints=secureweb"
      - "traefik.http.middlewares.stripprefix-mass.stripprefix.prefixes=/mass"
      - "traefik.http.routers.mass.middlewares=stripprefix-mass@docker"
      - "traefik.http.routers.mass.tls.certresolver=myresolver"
      # to note with network_mode: host, this works via localhost --> traefik routes this to http://127.0.0.1:8095"
      - "traefik.http.services.mass.loadbalancer.server.port=8095"

  mosquitto:
    container_name: mosquitto
    image: eclipse-mosquitto:latest
    restart: always
    volumes:
      - /srv/docker/container/mosquitto:/mosquitto
      - /srv/docker/container/mosquitto/data:/mosquitto/data
      - /srv/docker/container/mosquitto/log:/mosquitto/log
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/eclipse/mosquitto/commits"
    ports:
      - "0.0.0.0:1883:1883"    
    
  esphome:
    container_name: esphome
    image: esphome/esphome
    environment:
      - ESPHOME_DASHBOARD_USE_PING=true
    volumes:
      - /srv/docker/container/esphome/config:/config
      - /dev:/dev
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.esphome.rule=Host(`esphome.ddp.net`)"
      - "traefik.http.routers.esphome.entrypoints=web"
      - "last.commit.url=https://api.github.com/repos/esphome/esphome/commits"
    restart: always
    privileged: true
    
  sabnzbd:
    image: linuxserver/sabnzbd:latest
    container_name: sabnzbd
    restart: always
    environment:
      - PUID=500
      - PGID=500
      - TZ=Australia/Melbourne
    depends_on:
      - adguard
    volumes:
      - /srv/docker/container/sabnzbd/:/config
      - /export/docker/storage/downloads:/downloads
      - /export/docker/storage/incomplete-downloads:/incomplete-downloads
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.sabnzbd.rule=Host(`sab.ddp.net`)"
      - "traefik.http.routers.sabnzbd.entrypoints=web"
      - "last.commit.url=https://api.github.com/repos/linuxserver/docker-sabnzbd/commits"

  influxdb:
    image: influxdb:latest
    container_name: influxdb
    environment:
      - DOCKER_INFLUXDB_INIT_MODE=setup
      - DOCKER_INFLUXDB_INIT_ORG=mara
      - DOCKER_INFLUXDB_INIT_USERNAME=telegraf
      - DOCKER_INFLUXDB_INIT_BUCKET=telegraf
      - DOCKER_INFLUXDB_INIT_RETENTION=2w
      - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN=3qBckkybwMWoyZ16dqVD9gufoYYLwKkX_i296J30wekVpwxuCQe8p
    env_file:
      - /srv/docker/config/secrets/influxdb
    volumes:
      - /srv/docker/container/influxdb/data:/var/lib/influxdb2
      - /srv/docker/container/influxdb/config:/etc/influxdb2
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.influxdb.rule=Host(`influx.ddp.net`)"
      - "traefik.http.routers.influxdb.entrypoints=web"
      - "last.commit.url=https://api.github.com/repos/influxdata/influxdb/commits"
    restart: always

  telegraf:
    image: telegraf:latest
    container_name: telegraf
    # needs to be 0 / root to run smartmontools / nvme
    user: "root"
    # this is used to add docker group to telegraf user for reading docker.sock and installing smartmontools, etc.
    entrypoint: /root/mara-init/entrypoint-wrapper.sh
    volumes:
      - /srv/docker/container/telegraf:/etc/telegraf
      - /srv/docker/container/telegraf/sudoers/smart:/etc/sudoers.d/smart
      - /srv/docker/container/telegraf/mara-init/entrypoint-wrapper.sh:/root/mara-init/entrypoint-wrapper.sh
      # for telegraf to get external script output
      - /srv/docker/container/telegraf/monitoring-results:/usr/local/external-results/mara
      - /srv/docker/container/mythtv/monitoring-results:/usr/local/external-results/myth
      - /srv/docker/container/mail/monitoring-results:/usr/local/external-results/mail
      - /srv/docker/container/mon/monitoring-results:/usr/local/external-results/kuma
      - /srv/docker/container/samba/monitoring-results:/usr/local/external-results/samba
      # for telegraf to see host details
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /:/host:ro
      - /run/udev:/run/udev:ro
      - /etc/localtime:/etc/localtime:ro
    privileged: true
    devices:
      - /dev:ro
    environment:
      - HOST_MOUNT_PREFIX=/host
      - HOST_PROC=/host/proc
      - HOST_SYS=/host/sys
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/influxdata/telegraf/commits"
    depends_on:
      - influxdb
    restart: always

  grafana:
    image: grafana/grafana:latest
    container_name: grafana
    restart: always
    depends_on:
      - influxdb
    volumes:
      - /srv/docker/container/grafana/grafana.ini:/etc/grafana/grafana.ini
      - /srv/docker/container/grafana/ldap.toml:/etc/grafana/ldap.toml
      - /srv/docker/container/grafana/data:/var/lib/grafana
      - /srv/docker/container/grafana/dashboards:/var/lib/grafana/dashboards
      - /srv/docker/container/grafana/grafana/provisioning:/etc/grafana/provisioning
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - /srv/docker/container/grafana/config.monitoring
      - /srv/docker/config/secrets/ldap-mail-common
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.grafana_ssl.rule=Host(`graf.depaoli.id.au`)"
      - "traefik.http.routers.grafana_ssl.tls=true"
      - "traefik.http.routers.grafana_ssl.entrypoints=secureweb"
      - "traefik.http.routers.grafana_ssl.tls.certresolver=myresolver"
      - "traefik.http.routers.grafana.rule=Host(`grafana.ddp.net`)"
      - "traefik.http.routers.grafana.entrypoints=web"
      - "last.commit.url=https://api.github.com/repos/grafana/grafana/commits"

  adguard:
    container_name: adguard
    image: adguard/adguardhome
    ports:
      - "192.168.0.2:53:53/tcp"
      - "192.168.0.2:53:53/udp"
    environment:
      TZ: 'Australia/Melbourne'
    volumes:
      - /srv/docker/container/adguard/conf:/opt/adguardhome/conf
      - /srv/docker/container/adguard/work:/opt/adguardhome/work
      - /etc/localtime:/etc/localtime:ro
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.adguard.rule=Host(`adguard.ddp.net`)"
      - "traefik.http.routers.adguard.entrypoints=web"
      - "traefik.http.services.adguard.loadbalancer.server.port=80"
      - "last.commit.url=https://api.github.com/repos/AdguardTeam/AdGuardHome/commits"

  bookdb_dev:
    container_name: bookdb_dev
    image: postgres:latest
    restart: always
    environment:
      POSTGRES_USER: ddp
      POSTGRES_DB: library
    env_file:
        - /srv/docker/config/secrets/bookdb-common
    depends_on:
      - adguard
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/postgres/postgres/commits"
    volumes:
      - /srv/docker/container/bookdb_dev/data:/var/lib/postgresql/data
      - /srv/docker/container/bookdb_dev/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
      - /etc/localtime:/etc/localtime:ro

  bookdb:
    container_name: bookdb
    image: postgres:17
    restart: always
    environment:
      POSTGRES_USER: ddp
      POSTGRES_DB: library
    env_file:
        - /srv/docker/config/secrets/bookdb-common
    depends_on:
      - adguard
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/postgres/postgres/commits"
    volumes:
      - /srv/docker/container/bookdb/data:/var/lib/postgresql/data
      - /srv/docker/container/bookdb/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
      - /etc/localtime:/etc/localtime:ro

  bookdev:
    container_name: bookdev
    restart: always
    environment:
      FLASK_ENV: "container"
    build:
      context: '/home/ddp/src/pybook'
      args:
        ENV: "container"
        BOOK_UID: "1000"
        BOOK_GID: "1000"
    depends_on:
      - bookdb_dev
      - adguard
    volumes:
      - /home/ddp/src/pybook/:/pybook_mapped_volume
      - /export/docker/storage/books/:/books
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
      - "traefik.enable=true"
      - "traefik.http.routers.bookdev.rule=Host(`bookdev.ddp.net`)"
      - "traefik.http.routers.bookdev.entrypoints=web"

  book:
    container_name: book
    restart: always
    environment:
      FLASK_ENV: "production"
    build: 
      context: '/home/ddp/src/pybook'
      args:
        ENV: "production"
        BOOK_UID: "1000"
        BOOK_GID: "1000"
    depends_on:
      - bookdb
      - adguard
    volumes:
      - /export/docker/storage/books:/books
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
      - "traefik.enable=true"
      - "traefik.http.routers.book.rule=Host(`book.depaoli.id.au`)"
      - "traefik.http.routers.book.tls=true"
      - "traefik.http.routers.book.entrypoints=secureweb"
      - "traefik.http.routers.book.tls.certresolver=myresolver"

  padb_dev:
    container_name: padb_dev
    image: postgres:latest
    restart: always
    # replace entrypoint to install cron and a cron job to backup users so we can rebuild the content from sqls
    entrypoint: /root/mara-init/entrypoint-wrapper.sh
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/postgres/postgres/commits"
    environment:
      POSTGRES_USER: pa
      POSTGRES_DB: pa
    env_file:
        - /srv/docker/config/secrets/padb-common
    depends_on:
      - adguard
    volumes:
      - /srv/docker/container/padb_dev/data:/var/lib/postgresql/data
      - /srv/docker/container/padb_dev/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
      - /srv/docker/container/padb_dev/mara-init:/root/mara-init
      - /srv/docker/container/padb_dev/mara-bin:/root/mara-bin
      - /etc/localtime:/etc/localtime:ro
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "pa"]
      interval: 30s
      timeout: 10s
      retries: 5

  padb:
    container_name: padb
    image: postgres:17
    restart: always
    # replace entrypoint to install cron and a cron job to backup users so we can rebuild the content from sqls
    entrypoint: /root/mara-init/entrypoint-wrapper.sh
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/postgres/postgres/commits"
    environment:
      POSTGRES_USER: pa
      POSTGRES_DB: pa
    env_file:
        - /srv/docker/config/secrets/padb-common
    depends_on:
      - adguard
    volumes:
      - /srv/docker/container/padb/data:/var/lib/postgresql/data
      - /srv/docker/container/padb/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
      - /srv/docker/container/padb/mara-init:/root/mara-init
      - /srv/docker/container/padb/mara-bin:/root/mara-bin
      - /etc/localtime:/etc/localtime:ro
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "pa"]
      interval: 30s
      timeout: 10s
      retries: 5

  padev:
    container_name: padev
    restart: always
    build: 
      context: '/home/ddp/src/photoassistant'
      args:
        # uid for ddp (for dev/container)
        PA_ID: "1000"
    environment:
      ENV: "container"
    depends_on:
      padb_dev:
        condition: service_healthy
    volumes:
      - /home/ddp/src/photoassistant:/home/ddp/src/photoassistant
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
      - "traefik.enable=true"
      - "traefik.http.routers.padev.rule=Host(`padev.ddp.net`)"
      - "traefik.http.routers.padev.entrypoints=web"

  pa:
    container_name: pa
    restart: always
    build: 
      context: '/home/ddp/src/photoassistant'
      args:
        # uid for mythtv (for prod)
        PA_ID: "500"
    environment:
      ENV: "production"
    depends_on:
      padb:
        condition: service_healthy
    volumes:
      - /export/docker/storage:/export/docker/storage
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
      - "traefik.enable=true"
      - "traefik.http.routers.pa.rule=Host(`pa.depaoli.id.au`)"
      - "traefik.http.routers.pa.tls=true"
      - "traefik.http.routers.pa.entrypoints=secureweb"
      - "traefik.http.routers.pa.tls.certresolver=myresolver"

  finplan:
    container_name: finplan
    restart: always
    environment:
      ENV: "production"
    # force using uid/gid of 1000/1000 so we can share dev/prod for now - may care enough 1 day to fix
    build: 
      context: '/home/ddp/src/finplan'
      args:
        USERID: "1000"
        GROUPID: "1000"
    user: "1000:1000"
    volumes:
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
      - "traefik.enable=true"
      - "traefik.http.routers.finplan.rule=Host(`finplan.ddp.net`)"
      - "traefik.http.routers.finplan.entrypoints=web"

  vaultwarden:
    container_name: vaultwarden
    restart: always
    image: vaultwarden/server:latest
    depends_on:
      - adguard
      - openldap
    volumes:
      - /srv/docker/container/vaultwarden:/data
      - /etc/localtime:/etc/localtime:ro
    environment:
      - "ORG_EVENTS_ENABLED=true"
    env_file:
      - /srv/docker/config/secrets/vaultwarden
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.vaultwarden.rule=Host(`bw.depaoli.id.au`)"
      - "traefik.http.routers.vaultwarden.tls=true"
      - "traefik.http.routers.vaultwarden.tls.options=tls12@file"
      - "traefik.http.routers.vaultwarden.entrypoints=secureweb"
      - "traefik.http.routers.vaultwarden.tls.certresolver=myresolver"
      - "last.commit.url=https://api.github.com/repos/dani-garcia/vaultwarden/commits"

  # auto-update docker images
  watchtower:
    container_name: watchtower
    image: containrrr/watchtower:latest-dev
    command: --schedule "0 0 3 * * *" --debug --stop-timeout 60s --label-enable --cleanup
    restart: always
    depends_on:
      - adguard
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/containrrr/watchtower/commits"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "/etc/localtime:/etc/localtime:ro"

  # used for hass (eufy) to get notifications from camera
  eufy_security_ws:
    image: bropat/eufy-security-ws:latest
    container_name: eufy_security_ws
    restart: always
    environment:
      - "USERNAME=eufy_hass@depaoli.id.au"
      - "COUNTRY=AU"
      - "DEBUG=-v"
      - "TRUSTED_DEVICE_NAME=Pixel Pro 7"
    env_file:
        - /srv/docker/config/secrets/eufy_security_ws
    ports:
      - "0.0.0.0:3000:3000"
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/bropat/eufy-security-ws/commits"
    depends_on:
      - adguard
    volumes:
      - "/srv/docker/container/eufy_security_ws/data:/data"
      - "/etc/localtime:/etc/localtime:ro"
      - "/etc/timezone:/etc/timezone:ro"

  # used for hass (eufy) to stream from camera
  rtsp_simple_server:
    image: aler9/rtsp-simple-server:latest
    container_name: rtsp_simple_server
    restart: always
    environment:
      - "RTSP_PROTOCOLS=tcp"
    ports:
      - "0.0.0.0:1935:1935"
      - "0.0.0.0:8554:8554"
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/bluenviron/mediamtx/commits"
    depends_on:
      - adguard
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
    
# NOT YET - API calls don't match DB, need to wait
  mon:
    image: louislam/uptime-kuma:beta
    container_name: mon
    restart: always
    volumes:
      - /srv/docker/container/mon/data:/app/data
      - /srv/docker/container/mon/mara-bin:/root/mara-bin/
      - /srv/docker/container/mon/mara-init:/root/mara-init/
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # used to transfer which containers we monitor through to telegraf
      - /srv/docker/container/mon/monitoring-results:/monitoring-results
      - /etc/localtime:/etc/localtime:ro
    entrypoint: /root/mara-init/entrypoint-wrapper.sh
    ports:
      - "0.0.0.0:3001:3001"
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.mon.rule=Host(`mon.depaoli.id.au`)"
      - "traefik.http.routers.mon.tls=true"
      - "traefik.http.routers.mon.entrypoints=secureweb"
      - "traefik.http.routers.mon.tls.certresolver=myresolver"
      - "last.commit.url=https://api.github.com/repos/louislam/uptime-kuma/commits"

  sshwifty:
    image: niruix/sshwifty:latest
    container_name: sshwifty
    user: "nobody:nobody"
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.sshwifty.rule=Host(`ssh.depaoli.id.au`)"
      - "traefik.http.routers.sshwifty.tls=true"
      - "traefik.http.routers.sshwifty.entrypoints=secureweb"
      - "traefik.http.routers.sshwifty.tls.certresolver=myresolver"
      - "last.commit.url=https://api.github.com/repos/niruix/sshwifty/commits"
    stdin_open: true
    tty: true
    volumes:
      - "/srv/docker/container/sshwifty/:/etc/"
      - "/etc/localtime:/etc/localtime:ro"

  mythdb:
    container_name: mythdb
    image: mariadb:latest
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/MariaDB/mariadb-docker/commits"
    environment:
      MYSQL_DATABASE: 'mythconverg'
      MYSQL_USER: 'mythtv'
      MYSQL_PASSWORD: 'mythtv'
      MYSQL_UID: 133
      MYSQL_GID: 140
    env_file:
        - /srv/docker/config/secrets/mythtv
    ports:
        - "0.0.0.0:3306:3306"
    volumes:
      - /srv/docker/container/mythtv/db/sql:/docker-entrypoint-initdb.d
      - /srv/docker/container/mythtv/db/data:/var/lib/mysql
      - /srv/docker/container/mythtv/db/log:/var/log/mysql
      - /srv/docker/container/mythtv/db/mythtv.cnf:/etc/mysql/mariadb.conf.d/mythtv.cnf
      - /etc/localtime:/etc/localtime:ro

  mythweb:
    container_name: mythweb
    image: ubuntu:latest
    hostname: mythweb
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
    entrypoint: /root/mara-init/entrypoint-wrapper.sh
    environment:
      APACHE_LOG_DIR: /var/log/apache2
      DBNAME: mythconverg
      DBSERVER: mythdb
      LANG: en_US.UTF-8
      LANGUAGE: en_US.UTF-8
      TZ: Australia/Melbourne
    volumes:
      - /srv/docker/container/mythtv/apache2:/var/log/apache2
      - /srv/docker/container/mythtv/data:/var/mythdata
      - /srv/docker/container/mythtv/home:/home/mythtv
      - /srv/docker/container/mythtv/ssh-config:/etc/ssh
      - /srv/docker/container/mythtv/var/log:/var/log/mythtv
      - /srv/docker/container/mythtv/mythweb/mara-init:/root/mara-init
      - /srv/docker/container/mythtv/mythweb/mara-bin:/root/mara-bin
      - /srv/docker/container/mythtv/monitoring-results:/monitoring-results
#      - /etc/localtime:/etc/localtime:ro
      - /export/myth:/export/myth
    ports:
      - "0.0.0.0:16543:80"
    env_file:
      - /srv/docker/config/secrets/mythtv
    depends_on:
      - mythdb


  # hacked entrypoint to 'add' to this container so it works as mara needs
  myth:
    container_name: myth
    image: ubuntu:latest
    hostname: ${HOSTNAME_MYTHTV:-mythtv}
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
    # needed to renice / ionice just the mythbackend process inside this container 
    # (it also runs cron, shepherd and various binaries out of /usr/local/bin)
    cap_add:
      - sys_nice
      - sys_admin
    environment:
      APACHE_LOG_DIR: /var/log/apache2
      DBNAME: mythconverg
      DBSERVER: mythdb
      LANG: en_US.UTF-8
      LANGUAGE: en_US.UTF-8
      TZ: Australia/Melbourne
    ports:
      - "0.0.0.0:6543:6543"
      - "0.0.0.0:6544:6544"
      - "0.0.0.0:6549:6549"
      - "0.0.0.0:6760:6760"
    entrypoint: /root/mara-init/entrypoint-wrapper.sh
    volumes:
      - /srv/docker/container/mythtv/apache2:/var/log/apache2
      - /srv/docker/container/mythtv/data:/var/mythdata
      - /srv/docker/container/mythtv/home:/home/mythtv
      - /srv/docker/container/mythtv/ssh-config:/etc/ssh
      - /srv/docker/container/mythtv/var/log:/var/log/mythtv
      - /srv/docker/container/mythtv/mara-init:/root/mara-init
      - /srv/docker/container/mythtv/mara-bin:/root/mara-bin
      - /srv/docker/container/mythtv/db/sql:/db-container/sql
      - /srv/docker/container/mythtv/db/backups:/db-container/backups
      - /srv/docker/container/mythtv/monitoring-results:/monitoring-results
#      - /etc/localtime:/etc/localtime:ro
      - /export/myth:/export/myth
      - /export/docker/storage/other-videos:/export/myth/videos
    devices:
      - /dev/dvb:/dev/dvb
    env_file:
      - /srv/docker/config/secrets/mythtv
    depends_on:
      - mythdb

  wiki:
    image: lscr.io/linuxserver/bookstack:latest
    container_name: wiki
    environment:
      - PUID=1000
      - PGID=1000
      - APP_URL=https://wiki.depaoli.id.au
      - DB_HOST=wikidb
      - DB_PORT=3306
    env_file:
        - /srv/docker/config/secrets/wiki
    volumes:
      - /srv/docker/container/wiki:/config
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    depends_on:
      - wikidb
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.wiki.rule=Host(`wiki.depaoli.id.au`)"
      - "traefik.http.routers.wiki.tls=true"
      - "traefik.http.routers.wiki.entrypoints=secureweb"
      - "traefik.http.routers.wiki.tls.certresolver=myresolver"
      - "last.commit.url=https://api.github.com/repos/linuxserver/docker-bookstack/commits"

  wikidb:
    image: lscr.io/linuxserver/mariadb:latest
    container_name: wikidb
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Australia/Melbourne
    env_file:
        - /srv/docker/config/secrets/wiki
    volumes:
      - /srv/docker/container/wikidb/config:/config
      - /srv/docker/container/wikidb/data:/var/lib/mysql
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "last.commit.url=https://api.github.com/repos/linuxserver/docker-mariadb/commits"

#   shitster:
#     image: node:19-bullseye
#     container_name: shitster
#     working_dir: /app
#     volumes:
#        - /srv/docker/container/shitster:/app
#    labels:
#      - "com.centurylinklabs.watchtower.enable=false"
    
  web:
    image: php:apache
    container_name: web
    volumes:
      - /srv/docker/container/web/data:/var/www/html
      - /srv/docker/container/web/mara-init:/root/mara-init
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    entrypoint: "/root/mara-init/entrypoint-wrapper.sh"
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      #- "traefik.http.routers.web.rule=Host(`myth.ddp.net`) && ( Path(`/`) || PathPrefix(`/images` ) || PathPrefix(`/mythweb`) )"
      - "traefik.http.routers.web.rule=Host(`myth.ddp.net`)"
      - "traefik.http.routers.web.entrypoints=web"
      - "last.commit.url=https://api.github.com/repos/docker-library/php/commits"

  # this container exists solely to have traefik manage the depaoli.id.au SSL
  # cert - the web server has no web content to serve
  depweb:
    image: php:apache
    container_name: depweb
    volumes:
      - /srv/docker/container/depweb/data:/var/www/html
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.depweb.rule=Host(`depaoli.id.au`)"
      - "traefik.http.routers.depweb.tls=true"
      - "traefik.http.routers.depweb.entrypoints=secureweb"
      - "traefik.http.routers.depweb.tls.certresolver=myresolver"
      - "last.commit.url=https://api.github.com/repos/docker-library/php/commits"

  samba:
    image: ubuntu:latest
    container_name: samba
    entrypoint: /root/mara-init/entrypoint.sh
    restart: always
    # forcing hostname so the samba sid is reliable
    hostname: sambacontainer
    ports:
      - "0.0.0.0:139:139"
      - "0.0.0.0:445:445"
    volumes:
      - /export:/export
      - /srv/docker/container/samba/monitoring-results:/monitoring-results
      - /srv/docker/container/samba/mara-init:/root/mara-init
      - /srv/docker/container/samba/mara-bin:/root/mara-bin
    depends_on:
      - adguard
      - openldap
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=false"

  ftp:
    image: ubuntu:latest
    container_name: ftp
    entrypoint: /root/mara-init/entrypoint.sh
    restart: always
    ports:
      # active ports
      - "0.0.0.0:20:20"
      - "0.0.0.0:21:21"
      # passive ports
      - "0.0.0.0:10090:10090"
      - "0.0.0.0:10091:10091"
      - "0.0.0.0:10092:10092"
    volumes:
      - /home:/home
      - /srv/docker/container/ftp/monitoring-results:/monitoring-results
      - /srv/docker/container/ftp/mara-init:/root/mara-init
      - /srv/docker/container/ftp/mara-bin:/root/mara-bin
    depends_on:
      - adguard
      - openldap
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=false"

  ftps:
    build: /srv/docker/container/ftps
    container_name: ftps
    restart: always
      #restart: unless-stopped
      #network_mode: host
    ports:
    # active ports
      - "40021:21"
    # passive ports
      - "30000-30010:30000-30010"
    volumes:
      - /home:/home
      - /srv/docker/container/ftps/certs:/etc/vsftpd/certs
      - /srv/docker/container/ftps/ftp_data:/var/ftp
      - /srv/docker/container/ftps/nslcd.conf.template:/etc/nslcd.conf.template
      - /srv/docker/container/ftps/vsftpd.conf:/etc/vsftpd.conf
      - /srv/docker/container/ftps/pam.d/vsftpd:/etc/pam.d/vsftpd
    env_file:
      - /srv/docker/container/ftps/.env
    depends_on:
      - adguard
    labels:
      - "com.centurylinklabs.watchtower.enable=false"

  cdpdev:
    image: node:latest
    container_name: cdpdev
    volumes:
      - /home/cam/code/quizzington-city:/app
    entrypoint: /app/init.sh
    environment:
      - CLIENT_URL=https://cdp.dev.depaoli.id.au
      - SERVER_PORT=3001
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.cdpdev.rule=Host(`cdp.dev.depaoli.id.au`)"
      - "traefik.http.routers.cdpdev.tls=true"
      - "traefik.http.routers.cdpdev.entrypoints=secureweb"
      - "traefik.http.routers.cdpdev.tls.certresolver=myresolver"
      - "traefik.http.services.cdpdev.loadbalancer.server.port=5173"

  homarr:
    container_name: homarr
    image: ghcr.io/homarr-labs/homarr:latest
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock # Optional, only if you want docker integration
      - /srv/docker/container/homarr/appdata:/appdata
    env_file:
      - /srv/docker/config/secrets/homarr
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.http.routers.homarr.rule=Host(`homarr.ddp.net`) || Host(`mara.ddp.net`)"
      - "traefik.http.routers.homarr.entrypoints=web"
      - "traefik.http.services.homarr.loadbalancer.server.port=7575"
      - "last.commit.url=https://api.github.com/repos/homarr-labs/homarr/commits"